Cookie Law

What is the EU "Cookie Law"?

This is in fact an EU Directive (No. 2002/58/EC), known as the E-Privacy Directive, which was amended in 2009 to require consent for cookies and similar technologies. These controversial new cookie rules were widely condemned by business as unnecessary, impractical and burdensome but, despite a storm of protest, they somehow managed to enshrine themselves into EU law.

What is the UK implementation date for the new cookie laws?

EU governments had until 25 May 2011 to implement the changes into their own law. The UK did so by means of the pithily-named "Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011". The UK Information Commissioner announced a 12-month grace period until May 2012 during which formal action was unlikely to be taken against those taking steps to comply but thereafter the regulations would be enforced in the normal way.

Didn't the existing cookie regulations already require consent?

No. Until the change in May 2011, the requirement was simply to give "clear and comprehensive information" about cookies to website users together with the opportunity to opt out. Website operators could comply with these cookie rules quite easily by including the information and opt-out details in their privacy policies.

Now, the cookie regulation says that, not only must you give users the information about cookies but you must also obtain their consent to place them in the first place (subject to some exceptions mentioned below).

So you can no longer comply with cookie laws by simply including a cookie "spiel" in your privacy policy. You have to do more.

Do the new cookie regulations require consent for all cookies?

There are some exceptions, e.g. for cookies which are strictly necessary for the provision of a service. This may apply to, say, cookies used to remember what users have placed in their shopping baskets or to provide essential security for online payments but it is unlikely to cover analytical or advertising cookies.

Do the cookie rules say that I have to use a tick box to get consent?

Consent is "any freely given specific and informed indication of wishes by which a person signifies agreement". In other words, the user has to effect some form of communication which unambiguously indicates consent to cookies. And the user must fully understand what is being agreed to.

A tick box is just one way to achieve this but there are other routes. We work with clients to find a legal / technical consent mechanism which fits as seamlessly as possible into the structure of their sites.

Helpfully for website owners, guidance from the Information Commissioner's office indicates that an "implied consent" option will suffice, e.g. where the first page of a site contains a prominent cookie notice and the user navigates past this to the next page.

What are the penalties for not complying with the cookie regulation?

The Information Commissioner can impose fines up to £500,000 in the most serious cases.

How Adlex Solicitors can assist with advice on the EU Cookie Law ...

... for a free initial chat and more information, contact web solicitor Adam Taylor on +44 (0) 207 317 8404 or email.
